an option to specify an on-demand virus scanner like ClamAV would be a really neat feature.
That way, each file (or batch of files) could be passed to the virus scanner before it gets transferred to its final destination.
Note that this feature should be selectable for both up- and downloads to really make sense.

The issue with such virus scanners is that they work as on-access scanners, and you should never run more than one on-access scanner simultaneously. (Attempting to run two or more is likely to cause problems as they plug into the operating system's file access routines, and expect to be the only on-access scanner on a given computer. The usual results: spontaneous system crashes, slowdown, and even a lower detection rate)

On the other hand, on-demand scanners, like ClamAV/ClamWin, or the on-demand components of commercial AV's, can easily be "stacked", for example in a simple *.cmd.
This greatly improves the detection rate.
The downside is that you have to remember that you need to explicitly request a scan by calling the *.cmd.

Adding an option to WinSCP would automate this step.
I would suggest adding an option
"Command to be executed after download/before upload", with a placeholder like %f for the file name.
So, for example, the user would specify
"C:\Program Files\AntiVirus\Antivirus.cmd %f" if using a *.cmd, or maybe "C:\Program Files\MyFavoriteAntiVirus\mfav.exe -f %f --yap"
("yap" = yet another parameter )

Upon completion, the return code should be checked.
I'm not sure if there's a common standard among Anti-Virus vendors as to which return code means what, so it might be useful to provide a field prompting for a numeric value that indicates a "clean" scan result.

NB: Certain Instant Messaging programs like AIM and Trillian already offer such a scanning option for their file transfer features.